Conducting Dependent Eligibility Audits: Optimizing Data Security

Throughout the dependent eligibility audit, staff members are required to submit a large amount of sensitive data for verification purposes. These documents can include birth certificates, marriage licenses, divorce decrees, tax documents, and many other pieces of identification. One of the main concerns facing employees during the auditing process is the security involved in keeping this sensitive data safe – while keeping all audit requirements up-to-date. One of the first things an employer needs to do is verify the vendor’s ability to safeguard this sensitive information throughout the dependent eligibility audit. While there are a variety of different security controls that need to be in place, it’s also important that any vendor or subcontractor working within your company complies with HIPAA requirements and understands how the Affordable Care Act works (security requirements and employer-sponsored health plans).

Security with Document Submission

Although there are multiple methods of submitting documentation to the vendor, it’s important to remember the following tips for any mailed/faxed information:

If the vendor is using mail submission, documents should be sent directly to the vendor.

Ensure the vendor has a storage facility to handle and sensitive documents, complete with security cameras, limited access, and other measures to ensure the safety of the data.

If a vendor is using fax submission, the machine should be maintained in an area with limited access.

If the fax machine will transfer submissions to an electronic method, ensuring the proper safety locks and computer passwords are in place will severely limit the potential for exposed data. Likewise, it will ensure the documents cannot be emailed or saved to a USB device.

If a vendor is using electronic file sharing, it is critical that they use Secure FTP.

For any electronic file transfer, sensitive data should be encrypted (256-bit encryption) at all times—in motion and at rest.

The vendor’s internal IT environment should be secured with actively managed firewalls for all web servers and their Local Area Network.

To be in full compliance with HIPAA’s final rules and to eliminate disclosures of PHI and PII, dependent eligibility verification vendors should submit to annual reviews from independent auditors, including HITECH/HIPAA reviews, to ensure all practices, procedures, policies, system architecture, and encryption technologies are in place to protect the privacy and confidentiality of sensitive data.

Few vendors are able to meet these qualifications. Among the certifications, the SSAE 16 SOC 2 Type II Certification and HIPAA Compliance audits are most relevant.